Android’s built-in malware scanner gets a failing grade

Just 20 percent of malicious apps detected.

A computer scientist has uncovered weaknesses in the application verification service Google recently rolled out to help users detect malicious apps on their Android smartphones and tablets.

"By introducing this new app verification service in Android 4.2, Google has shown its commitment to continuously improve security on Android," Xuxian Jiang, a professor of computer science at North Carolina State University, wrote in a brief report published Monday. "However, based on our evaluation results, we feel this service is still nascent and there exists room for improvement."

Jiang exposed Nexus 10 tablets running the Jelly Bean version of Android to 1,260 samples of malicious apps and found that the built-in scanner detected only 193 of them. That indicates a detection rate of just 15.32 percent.

Jiang also found the performance of Google's app verification lagged well behind the performance of 10 representative antivirus apps offered by third-party companies such as Avast, Symantec, and Kaspersky Lab. He did this by picking a pseudorandom code sample from each of 49 malware families. Overall, the detection rates of the AV packages ranged from 51 percent to 100 percent, compared with 20 percent for the Google service, which is included with the Google Play app. The scanning service, which examines apps downloaded from Google Play as well as alternate sources, is optional, although it's on by default. Jiang's report didn't rank the specific AV apps or list the detection rates for each one by name.

A chief reason the app verification service misses so much malware is its reliance on cryptographic hash signatures to identify apps known to be malicious.

"This mechanism is fragile and can be easily bypassed," Jiang wrote. "It is already known that attackers can change with ease the checksums of existing malware (e.g., by repackaging or mutating it). To be more effective, additional information about the app may need to be collected. However, how to determine the extra information for collection is still largely unknown—especially given user privacy concerns."
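The fragility Jiang describes can be seen from the defender's side in a short added example (not code from the report or from Google's service). It compares a whole-file checksum blocklist with a lookup keyed on the digest of the archive's code entry. The per-entry digest is only an assumed stand-in for the "additional information" the report mentions, a changed code body would evade it as well, and all sample archives are constructed placeholders.

```python
import hashlib
import io
import zipfile


def build_apk(entries):
    """Build an in-memory ZIP archive (APKs are ZIP files) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            # Fixed timestamp so the constructed samples are reproducible.
            zf.writestr(zipfile.ZipInfo(name, date_time=(2012, 12, 10, 0, 0, 0)), data)
    return buf.getvalue()


def file_sha256(apk_bytes):
    """Checksum of the whole package, the kind of signature the article describes."""
    return hashlib.sha256(apk_bytes).hexdigest()


def entry_digests(apk_bytes):
    """SHA-256 of each decompressed archive entry, keyed by entry name."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def checksum_verdict(apk_bytes, file_blocklist):
    """True if the whole-file checksum is on the blocklist."""
    return file_sha256(apk_bytes) in file_blocklist


def content_verdict(apk_bytes, code_blocklist):
    """True if any .dex entry's digest is on the blocklist (assumed extra feature)."""
    return any(
        name.endswith(".dex") and digest in code_blocklist
        for name, digest in entry_digests(apk_bytes).items()
    )


# Constructed placeholder packages: no real app or malware content.
MANIFEST = b"<manifest package='com.example.sample'/>"
BAD_CODE = b"dex\n035\x00 constructed placeholder code body"
KNOWN_BAD = build_apk({"AndroidManifest.xml": MANIFEST, "classes.dex": BAD_CODE})
# Same code, one extra resource: models the repackaging the report mentions.
REPACKAGED = build_apk({"AndroidManifest.xml": MANIFEST, "classes.dex": BAD_CODE,
                        "assets/extra.txt": b"unrelated resource"})
BENIGN = build_apk({"AndroidManifest.xml": MANIFEST,
                    "classes.dex": b"dex\n035\x00 different constructed body"})

FILE_BLOCKLIST = {file_sha256(KNOWN_BAD)}
CODE_BLOCKLIST = {entry_digests(KNOWN_BAD)["classes.dex"]}


def evaluate():
    """Return {sample: (checksum_verdict, content_verdict)} for the three samples."""
    samples = {"known_bad": KNOWN_BAD, "repackaged": REPACKAGED, "benign": BENIGN}
    return {
        name: (checksum_verdict(apk, FILE_BLOCKLIST), content_verdict(apk, CODE_BLOCKLIST))
        for name, apk in samples.items()
    }


if __name__ == "__main__":
    for name, (by_file, by_code) in evaluate().items():
        print(f"{name:11s} whole-file match={by_file!s:5s} code-entry match={by_code}")
```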

Jiang also faulted the service for hosting the scanner solely in the cloud rather than using some sort of client-side solution.

"Unfortunately, it is not realistic to assume that the server side has all existing malware samples (especially with limited information such as app checksums and package names)," he wrote. "From another perspective, the client side, in the current implementation, does not have any detection capability, which suggests possible opportunity for enhancement. However, due to the limited processing and communication power on mobile devices, we need to strike a delicate balance on how much detection capability can and should be offloaded."

Jiang said VirusTotal, the free app-scanning website recently acquired by Google, also outperformed the app verification service. He said the service is likely to improve if it integrates VirusTotal.

Jiang's findings are sure to be hailed by makers of standalone apps that detect Android malware, like Lookout. On Friday, the company said an update it had pushed out mistakenly flagged legitimate apps, including one offered by movie service Fandango, as malicious. The mistake was detected and fixed about an hour later.

No upgrades to your software? Buy a Nexus. No bug fixes? Buy a Nexus. Crappy battery life? A Nexus is no worse than your random smartphone. Security issues? Use the Play Store and some !"#&)% common sense.

There are advantages to every platform. Just because you don't find Android's useful doesn't mean everyone who does is an idiot. You're just as shortsighted as those you're criticizing.

Not to mention doing this on a computer Mac/PC/Linux would likely yield some bad results as well... If these are not well known or known apps then it's based on heuristics and that as we all know is not exact...

And throwing 1500 malicious apps at a jail broken iPhone would yield what results...

Just saying most users android and iphone get their apps from the stores... and not from some shady site...

Were these apps from the Google Play store?

The difference is that with Android, it's a checkbox away from installing apps from other sources, which some people do for legit or not so legit reasons.

With Apple's devices, you need to jump through hoops and it's not currently possible on the A6.

With Windows 7/8 devices, it's not possible IIRC but I could be wrong.

By default there is not an issue...

That is like saying well you CAN install anything you want off the interwebs onto your machine... This is not a fair assessment for any anti-virus/malware title. This would fail in almost any circumstance on any device/OS/machine... There are just too many variables, and too much margin for error.

If these were all drive-by attacks then it would be different, it's not...

edit: not to mention as malware detection gets better false positives always go up... IMO false positives are even worse - as they often alarm a user for no reason, and can (as we have seen many times in the past) render a system or MANY systems un-usable... There is a delicate balance here.... But this is not a very good study...

And throwing 1500 malicious apps at a jail broken iPhone would yield what results...

Just saying most users android and iphone get their apps from the stores... and not from some shady site...

Were these apps from the Google Play store?

What does Apple have to do with this story? There is a security problem with Android. Several actually. You can of course avoid a lot of it by only using the Play Store, and not installing a different ROM. And live in the walled garden you rail against.

Typical virus/malware scare article. Just follow the security basics and you will almost assuredly be fine. Of course a power user or someone into trying the newest and latest will need to be more careful.

And throwing 1500 malicious apps at a jail broken iPhone would yield what results...

Just saying most users android and iphone get their apps from the stores... and not from some shady site...

Were these apps from the Google Play store?

What does Apple have to do with this story? There is a security problem with Android. Several actually. You can of course avoid a lot of it by only using the Play Store, and not installing a different ROM. And live in the walled garden you rail against.

Apple does not have anything to do with the story - I was stating that the test is not a very good representation of the real world... And is flawed. Doing this same test on any platform yields less than stellar results. Especially on computers - as many people use "free" av products and many have detection rates in the 50-65% and many can't reliably remove infections.

ALSO as I stated FPs are a big deal - and the AV titles that work the best also yield the highest false positives... FPs can cause even more issues than actual malware as sometimes (as we have seen) they will cause issues across many thousands of computers in one update...

I love the defensiveness in the comments. But but but but APPLE!!! Apple doesn't come into this, this is purely an Android issue. Comments that you should avoid shady repositories is absolutely correct, although as has been pointed out, if you're in China you may not have much choice.

And throwing 1500 malicious apps at a jail broken iPhone would yield what results...

Just saying most users android and iphone get their apps from the stores... and not from some shady site...

Were these apps from the Google Play store?

What does Apple have to do with this story? There is a security problem with Android. Several actually. You can of course avoid a lot of it by only using the Play Store, and not installing a different ROM. And live in the walled garden you rail against.

There is a security problem with Android?

A greatly exaggerated one.

Downloading untrusted files is the issue rather than Android, to be able to do this you need to take extra steps, this ensures it doesn't happen to the uninitiated and anyone who does decide to download untrusted files from untrusted sources can't be protected anyway.

Anyway, I'm sure Google can tighten up this scanning process no doubt they will, but in the meantime I'm yet to see anyone outside of lab conditions, Apple fanboy posts or anti-virus vendors marketing have an issue and considering Android's ridiculously large install-base & speed of growth is pretty impressive.

No upgrades to your software? Buy a Nexus. No bug fixes? Buy a Nexus. Crappy battery life? A Nexus is no worse than your random smartphone. Security issues? Use the Play Store and some !"#&)% common sense.

There are advantages to every platform. Just because you don't find Android's useful doesn't mean everyone who does is an idiot. You're just as shortsighted as those you're criticizing.

Idea for Play Store: Make a vetting process, like Apple has. But make it optional (and make it cost something). If your app is vetted, it gets a logo, a piece of flair, kind of like Twitter's Verified Accounts.

I think the problem with this study is that it didn't compare the alternatives to the built-in solution. Which means we have no idea how many samples they would have detected, perhaps the built-in solution, detected 20% more other options.

Furthermore I have seen what Lookout does to my phone's performance and battery, let's just say, I stopped using it after I realized my phone was dead after less than 24 hours.

Despite being reported the Amazon and Google application stores do not have that many malicious applications on them. Most if not all of the reported cases of malicious applications are either because of some third-party store or because they were loaded directly to the device.

Of the few times a fake or malicious application was found on these stores they were removed. The solution to malware on Android is before it gets onto the device, once infected like their big brother the personal computer, it's time to wipe the device since it cannot be trusted.

Apple has approved a few malicious applications over the years so their approval process isn't perfect.

Finally dumped my Android phone, after a couple years of Hell. Couldn't be happier. Get an OS where you are the actual customer, not the product.

I get updates to my firmware, Google regularly push them out. Awful service & customer support? I've never experienced any, had an issue with a Play Store purchase once, got personal response within minutes of contacting them and the issue resolved the next day. Security issues? What security issues? People who've chosen to enable the option to allow the phone to install software from other sources... then they go and install untrusted software from untrusted sources? Me think they're issue. Nobody in normal use will come into contact with any of this and in people who allow the phone to install software from outside of Google Play wouldn't come into contact with this if they have 3 working braincells.

But thanks for your reply and you anti-google agenda'd closing sentence.

No upgrades to your software? Buy a Nexus. No bug fixes? Buy a Nexus. Crappy battery life? A Nexus is no worse than your random smartphone. Security issues? Use the Play Store and some !"#&)% common sense.

There are advantages to every platform. Just because you don't find Android's useful doesn't mean everyone who does is an idiot. You're just as shortsighted as those you're criticizing.

Verizon Still Hasn’t Given the Galaxy Nexus Any of the Last Three Android Updates

"Verizon’s version of the Galaxy Nexus is still three updates behind other Nexus devices. The delays in getting the Galaxy Nexus new software are somewhat surprising since the device is part of Google’s Nexus series that runs “pure Android” without any additional manufacturer software, so approval for updates should theoretically be a breeze."

And throwing 1500 malicious apps at a jail broken iPhone would yield what results...

Just saying most users android and iphone get their apps from the stores... and not from some shady site...

Were these apps from the Google Play store?

It isn't so much that folks will get infected right now via those apps. Rather, if the scanner has such terrible results, new apps that do make it into the Google Play store that are malicious appear to have a likely chance of slipping through the scanner. Moreso for future exploits talk less of current exploits.

What does Apple have to do with this story? There is a security problem with Android. Several actually. You can of course avoid a lot of it by only using the Play Store, and not installing a different ROM. And live in the walled garden you rail against.

You're right, Apple doesn't have a thing to do with this story. But, to compare using an Android device strictly through the Android Play Store, and an Apple device, as both being in similar walled gardens is misleading. What you describe as the Android "walled garden" is open to developers without special approval from Google. Even the OS source code is available to other developers to improve and expand. Yes, it's a walled garden in the most strict sense, but it's rather like comparing your neighbor's suburban garden to the Butchart Gardens.

Finally dumped my Android phone, after a couple years of Hell. Couldn't be happier. Get an OS where you are the actual customer, not the product.

Those issues I can handle. In a spam filter, a false negative is better than a false positive. Malware in the store is better than legit software getting pulled. I don't want Apple or anyone else to be both Police and moral Judge on my purchases

Bad things happen to good people. There's a reason the new Nexus isn't LTE and doesn't work on Verizon.

Unfortunately, the only company that has been able to consistently bend Verizon's hand in this matter, is Apple. Kudos to them. And it took 4 years of losing profitable customers to AT&T for Verizon to open that exception.

Finally dumped my Android phone, after a couple years of Hell. Couldn't be happier. Get an OS where you are the actual customer, not the product.

Those issues I can handle. In a spam filter, a false negative is better than a false positive. Malware in the store is better than legit software getting pulled. I don't want Apple or anyone else to be both Police and moral Judge on my purchases

Get an OS where you are treated as an adult instead of a sheep.

Huh. Wanting a fast, smooth and reliable OS with great customer service is being a sheep. Imagine that. And choosing an OS, whose sole reason for existing is to sell the people that use it is being an adult. Google gives you free stuff, fattens you up for their real customers, treats you like garbage and you like it. And you're not the sheep here? Do tell.

Finally dumped my Android phone, after a couple years of Hell. Couldn't be happier. Get an OS where you are the actual customer, not the product.

With a trolling-type comment like that, you lose the opportunity to contribute anything constructive. Regardless, in response:

Google does its part - they do upgrade the OS, fixing bugs along the way. The manufacturers however, are the ones that make the devices and customize Android to work on them, so they have to take the updates/fixes and customize them for the devices. Very different situation from PCs with Windows, where MS can directly push out updates. Also very different from Apple, where they make the devices themselves and no changes are made downstream.

Carriers are to blame in part, because they specifically block some updates for no good reason. This is probably the biggest thing Apple did right, and quite a coup considering the power carriers wield over phones they sell. They stuck to their guns and didn't back down when Verizon refused their terms, hence ATT being the first iPhone carrier.

Battery life is comparable to many Android phones. But if someone buys a $150 phone, it isn't valid to compare it to a $600 iPhone.

No apologies for the faults with Google's approach - some things about it are great, others suck big-time. But it is what it is, and fortunately we have other choices like iOS and Windows Phone. I've had iPhone and Android and they both have their pluses and minuses.

As to the article, it would be nice to have an idea how good Google Play's scanner is at detecting malware coming from Play itself. That would tell us what the situation is like for the majority of users, which just use Google's store. And if third-party AV apps can do a better job, they must be handling the privacy concerns somehow. Seems there's room for Google to improve that part of it. Heck, Maps wants every permission available (sending text messages? really?).

Bad things happen to good people. There's a reason the new Nexus isn't LTE and doesn't work on Verizon.

Unfortunately, the only company that has been able to consistently bend Verizon's hand in this matter, is Apple. Kudos to them. And it took 4 years of losing profitable customers to AT&T for Verizon to open that exception.

You can vilify Google all you want for trying.

I don't get it... he proved your comment was fundamentally wrong. Yet somehow it's not fundamentally wrong? Either Nexus devices get updates or they don't. The fact that Apple was able to bend Verizon's hand should, in fact, be evidence that Google doesn't care as much about your user experience as Apple does. Apple was willing to forego Verizon revenue in order to make things better for the user. There are some benefits to Apple's "we know best" philosophy. And one of those benefits is that often they do actually give the user an experience that is better than competitors, even at a cost to themselves. This is one such example.

Huh. Wanting a fast, smooth and reliable OS with great customer service is being a sheep.

Having someone else choose what apps you can use and blindly accepting that is being a sheep.

Scannall wrote:

And choosing an OS, whose sole reason for existing is to sell the people that use it is being an adult. Google gives you free stuff, fattens you up for their real customers, treats you like garbage and you like it. And you're not the sheep here? Do tell.

Yes, it doesn't matter what the OS was made for, it is open enough for me to use however I want to. Not so for iOS, whose creator actively opposes jailbreaking and arbitrarily limits my possibilities. I like to own my phone, including the OS. With iOS, it's not possible.

Downloading untrusted files is the issue rather than Android, to be able to do this you need to take extra steps, this ensures it doesn't happen to the uninitiated and anyone who does decide to download untrusted files from untrusted sources can't be protected anyway.

Anyway, I'm sure Google can tighten up this scanning process no doubt they will, but in the meantime I'm yet to see anyone outside of lab conditions, Apple fanboy posts or anti-virus vendors marketing have an issue and considering Android's ridiculously large install-base & speed of growth is pretty impressive.

Finally dumped my Android phone, after a couple years of Hell. Couldn't be happier. Get an OS where you are the actual customer, not the product.

How bad they treat me? My Galaxy Note is amazing. I've had it running Jellybean since JB's release. Custom ROM, of course, but this was my choice when I purchased the Note - I knew official OS updates would happen slowly. If fast OS updates by the manufacturer/carrier were my goal, I would have purchased a Nexus phone - then I'd be rocking official OS updates far faster than, say, iOS devices.

My Note gets better battery life than my iPhone 4 did. And sports a removable battery - so I can install a higher capacity battery if I wish, or replace an aging one that no longer holds a charge as well.

As for the overall topic of the thread, security issues... I'm not seeing one. My Android phone is exactly like my desktop: I can choose to only use vetted apps, or I can elect to get apps from custom sources, with the knowledge that they are unverified, leaving that up to me.

Not allowing your users to make that choice is not an advantage in my books. Android is no less secure than iOS by default, it just allows users to choose the balance between restrictions and security like a desktop. I'd always rather be making that choice than having it made for me.

Finally dumped my Android phone, after a couple years of Hell. Couldn't be happier. Get an OS where you are the actual customer, not the product.

Those issues I can handle. In a spam filter, a false negative is better than a false positive. Malware in the store is better than legit software getting pulled. I don't want Apple or anyone else to be both Police and moral Judge on my purchases

Get an OS where you are treated as an adult instead of a sheep.

I'd rather get denied an app, legitimately, than be allowed to download malware legitimately; different priorities I suppose.

On the flip, however, your last line is insulting because there's nothing wrong with herd immunity (aka being a sheep) because it's a protective, defensive, and positive behavior.